MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d111d76676101fb237139f70a4217c5954c23c61747146672199b557ecd5c190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 11

SHA256 hash: d111d76676101fb237139f70a4217c5954c23c61747146672199b557ecd5c190
SHA3-384 hash: 9561a23beb46548d2e4fb75875059f36ec82b516bbaf7c38d3630e83a8fef5fbf680315cbd9f0dcce45867780a7e387c
SHA1 hash: 196a77eb4082cb9a7e695390cdd8d0d689e517d8
MD5 hash: 25d28d8865780b7fd197f73292d8a7dc
humanhash: robert-johnny-violet-delta
File name: Scan Document.exe
Signature: AgentTesla
File size: 882'176 bytes
First seen: 2021-09-06 12:48:52 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:sJmWMzH+hB/pzxJi3X3+b6umJBDARbeqTJg/RIdoeV3zUYFQif3EH8HwkqIH:MLpXk+b6umJBDAJeqtgbMDBF3fUMwkb
Threatray: 9'578 similar samples on MalwareBazaar
TLSH: T1E615AE007BFC5E2AE5EF1B39E074190497F9F447AABAD78D5804ADAA3C937404A513B3
dhash icon: d4923292e2ccb4c0 (13 x AgentTesla, 7 x Formbook, 3 x Loki)
Reporter: James_inthe_box
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 213
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Scan Document.exe
Verdict: Malicious activity
Analysis date: 2021-09-06 13:21:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a UDP request
DNS request
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph: graph rendering not preserved; the recoverable node text follows.
Behavior Graph ID: 478441; Sample: Scan Document.exe; Startdate: 06/09/2021; Architecture: WINDOWS; Score: 100.
Process tree: Scan Document.exe drops C:\Users\user\AppData\...\Scan Document.exe (PE32, together with a Zone.Identifier stream and a .log file), writes to foreign memory regions and injects a PE file into a child Scan Document.exe, and starts powershell.exe processes (each with a conhost.exe) that resolve google.com, youtube.com and outlook.com. The injected child contacts mail.a2zfacilityservices.in (103.67.239.162, source ports 49731 and 49732, destination port 587, India) and triggers the Putty / WinSCP, mail and FTP credential-harvesting signatures.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-06 01:12:39 UTC
File Type: PE (.Net Exe)
Extracted files: 13
AV detection: 15 of 28 (53.57%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash: aabe6c929f79fa2d6e5dfa5c817e5947fec36b17e3e53799f5ed8b19cc59d599
MD5 hash: fc5efb45c0279b09ea60a7dd20c3ffae
SHA1 hash: 5ec17bc1f3e6b573158c95444cef8ee9508b325a

SHA256 hash: b350cc75c6f360d83cd90a3b52632590f375cc1c14023bd250afddc64d56a3c8
MD5 hash: 47bbdf431e4b4e6a8e0d90d0ffeeb0fd
SHA1 hash: b08de8ee5b67d7ed58b548515a55b97844f94575

SHA256 hash: bed800ec00ecc7be423f36ad7eb97d1a64e5344d47634c263d2b0d2b1fbe91a9
MD5 hash: a06d1976519a94d8cd58cb3e15922ccc
SHA1 hash: 074a02bcc7942e124f5b0114178ab6694867357f

SHA256 hash: d111d76676101fb237139f70a4217c5954c23c61747146672199b557ecd5c190
MD5 hash: 25d28d8865780b7fd197f73292d8a7dc
SHA1 hash: 196a77eb4082cb9a7e695390cdd8d0d689e517d8

Malware family: Agent Tesla v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other